Major software vulnerabilities are a fact of life, as illustrated by the fact that Microsoft has patched between 55 and 110 vulnerabilities each month this year – with 7% to 17% of those vulnerabilities being critical.
May had the fewest vulnerabilities, with a total of 55 and only four considered critical. The problem is that the critical vulnerabilities are things we have seen for many years, like remote code execution and privilege escalation.
Microsoft isn’t the only big name regularly patching major vulnerabilities: We see monthly security updates coming from Apple, Adobe, Google, Cisco, and others.
Everything old is new again
With major vulnerabilities in so many applications, is there any hope for a secure future? The answer is, of course, yes, but that does not mean there won’t be challenges getting there.
The vulnerabilities being seen may not be new to those of us who have been defending against attackers for years or even decades, but the adversaries continually change their tactics.
It is not uncommon for them to use legitimate resources for nefarious purposes, and it may not always be possible to plan for this misuse when an application is being built.